You are on page 1of 5

Technologies for E-Commerce: India Initiatives

Ashutosh Saxena and A. R. Dani, Institute for Development and Research in Banking Technology, IDRBT, Castle Hills, Road No. I , Masab Tank, Hydcrabad, (AP) INDIA. Einails (asaxena, ardani} Considering the strategic importance of Econinicrce, Ministry of Information Technology, Government of India - sponsorcd a project to develop Technologics for E-Commerce in the country. The research and devclopment activities were jointly carried out by IDRBT and CMC Ltd. Under this project integrated product suite for conducting end-to-cnd c-Commercc transaction using credit card and e-chequc with PKl technology for payment purposes and to address the perimeter security firewall and intruder detection system, wcrc devclopcd. The paper discusses various payment instruments and present onc of them namcly e-cheque protocol and development activities along with its usage and advantagcs over other.

Ovcr thc past decadc, applications of communications and information technologics havc bcgun to cmcrgc in practically every aspect of economic activity. Their predominance in modern industry and in society as a whole has creatcd what some have called a Digital Economy, whcrc growth, coinpetitivcncss and wcalth creation are increasingly dependent on rapid technological innovation. Electronic commcrcc is often considercd the economic engine for growth in the Digital Economy. Its scope and impacts rangc far bcyond Internet-bascd rctail distribution and clcctronic shopping, potcntially rcaching most if not all business-to-business /consumer/govemment relationships across the cconomy. e-commerce will provide new value by intcgrating information with the processcs to provide a uniticd view of thc business for customers, partners, and internal participants. Infonnation will be automatically and Instantly combined and delivcred in new ways to persuade, inform and improvc overall quality of scrvicc. Proccsscs will iiiovc fjstcr and inorc accurately, and interactions with ciistomcrs and partners will autoinatically generate information that will provide new insights for business strategies and decision-making. In fact, the predominance of coniputcr tcchnologics, and thc incrcasing scopc and utility of information nctworks such as the Intcrnct, have made possible the shifting of a vast range of industrial activities and processes to clectronic form. It is said that the Internet is the markctplacc of thc future. Although few years back thc Internct has bccn primarily uscd as a incans of publishing inforination about a companys goods and

services. many vendors have now begun to offer their products in electronic departmental stores. Use of ecommerce, electronic trading over the Internet or other open networks, is expected to increase at an impressive rate and holds out the prospect of huge profits. Analysts stated that the value of business-to-business e-commerce in the United States will grow from $1.2 trillion in year 2001 to $4.8 trillion by 2004 [ 11. The Nasscom-McKinsey report predicts that India has the potential to create an e-commerce value worth US$1.5 billion by 2004 and US$lO billion by 2010. Business-to-consumer and business-to-government ecommcrce arc also projectcd to expand significantly. For progressive corporations that find ways to capitalize on the business opportunities with this increasing volume represents, the rewards are considerablc, but of course, with a layer of security risks. Thus the major requirement for e-commcrce is to provide the highly secure and trusted environmcnt over the Internet for conducting commercial transactions. This reqGres autlicntication of transacting partics, privacy, message intcgrity and non-repudiation. Digital signatures and Public Key Infrastructure (PKI) technology address this requirement of e-commerce. For business organization, it is important to securc its intranct from the opcn network and provide selective access control and intrudcr detcction mechanism. Many of the above technologies, which provide necessary security are expensive and arc subjectcd to cxport controls, further these security products may havc trap doors. One of the most important components of e-commerce is-epayment method over Internet. The availablc payment technologies are expensive and are suitable for thc advanced countries. For Indian market, chcque is thc most widcly used paynicnt instrument and hencc needs to be available on the lntcmet. Internet comincrce providcs opportunity for Small Scale Industrics (SSI) to bc globally coinpctitive. It also hclps them to reach global customers without spcnding substantially on marketing or advertising activities. This can result in greater customer base and thereby increased production. It can also help them obtain the information on latest trends in market and tcchnology. It has to be notcd that SSI sector is one of the most important sector of Indian economy and that developing countries. It is also agreed now that the agricultural sector can also dcrive substantial bcncfits from the use of Intcrnet Commcrcc.

Poster Papers / 1435

Coiisidcring thc strategic importance of these technologies to critical sectors of economy, Ministry of Information Technology - Government of India sponsorcd a project to dcvclop the Technologies for E-Commerce i n the country. The rcscarch and devclopinent activities were jointly carried out by Institute J;)r Development and Reseurch in Banking Technologv (IDRBT) and CMC Ltd. Where as for the deployment of the developed technologies, for the pilot run, werc carried out with othcr partners in this project Hvder.uhad Wakr Supply und Sewerage Board and Andhra Bank, as merchant establishment and participating bank respectively. Thc projcct startcd i n April 1999, and as part of this, it was dccidcd to dcvclop the intcgratcd product suitc for conducting end-to-end e-commerce transaction using cheque and credit card payment for paynicnt purposes and nctwork sccurity tcchnologics such as Fircwall and Intruder Dctcction System to address the pcrimetcr security. The projcct in brief is given in next section and payment instriimcnts, which were developed under this project, are discusscd in subscquent section followed by the concluding rcmarks. In this papcr we will bc discussing :n detail about thc payment instrument e-cheqzre. product suit also includes thc elcctronic bill prcscntation and payment system (eBillPay), which could bc used and shared by the nuinbcr of billcrs for displaying the bills along with payment status to their consumer and accepting the payment. Interface with billers and banks uses Interactive Financial exchange (IFX) standard. SET and FSML needs public key infrastructure (PKI) support, thus it was decided to make the PKI a gcneralpurpose product (i-Cert) so that it could be uscd to issue not only SET and FSML certificates but also SSL and S/MIME certificates. As a part of this project we have developed thc indigenous PKI solution that provides higher-grade cryptography support (RSA 2048 bit). The PKI product supports various PKCS standards and also integrated with a FIPS 140-1 (level 3) compliant Hardware Security Module (HSM). The usage of FIPS 140-1 (levcl 3 ) compliant Hardware Sccurity Module (HSM) is also rccomincndcd in Indian Information Tcchnology Act 2000 (IT-Act 2000). For a network security, Firewall and lntrudcr Detection System are developed along with a user manual and Red Book on Network Security using which thc security audits can be conducted. A user guidc on how to sct up S C C L I ~ C machineshctworks (for Unix and .Windows) is also produced. Indian Business Organizations arc not ablc to exploit this tcchnology bccausc of lack of training. It is ncccssary to conduct training in these technologics. Hence one national seminar and two training programs wcrc conducted to spread the awareness and tcchnology to thc industry organizations. Also the pilot implcmcntation was bcing carried out for Watcr Bill Paymcnt at Hyderabad Metro Water Supply and Sewerage Board and Andhra Bank as merchant establishnicnt and bank respectively.


Aftcr a careful initial study, it WAS decided to develop credit card payment using Secu:c Electronic Transaction [2] (SET) protocol by VISA and MASTERCARD and Secure Socket Laycr[3] (SSL) bascd credit card payment. Financial Services Marki:p Language [4] (FSML), developed by Financial Services Technology Consortium (FSTC) was selected to devclop e-cheque. The reasons for these are: SSL is very popular in USA and provide a levcl of confidence in user. SET is more supcrior in inecting business needs such as privacy, non-repudiation. FSML is based on XML standards and supports busincss needs such as attaching business documents with cheque, co-signing, counter signing, endorse, etc. Cheque book is iinplemcnted on smart card for high security and it is also impieinented on floppy for low cost. It is very important that a common user can make the payment with ease, for this purpose, an electronic wallet (digiPurse) is developcd to liold-wrious-paymcnt instruments, to conduct secure transactions using any of the instruments stored with a click of a mouse button and to keep record of the transactions conducted. Considering the Indian scenario, where more than otic person shares the computer, the wallct is also designed in such a way that the multiple users is feasible. Wallet is also made transportable so that people can use Internet kiosks. Wallet uses Electronic Commerce Modeling Language (ECML). Other products in the suite include payment server (ePayServ) for onlinc merchants and service providers to acccpt Internet based payments from their customers and payment gateway (Gate E-Way) for the banks-to accept the payment instructions from their merchant clients. The


The rapid coiiiincrcializatioii and growth of public networks, especially the Internet with its growing uscr base, is creating a huge potential worldwide electronic markctplace. Corporations today have more payincnt options than ever before. In rccent years, a nunibcr of ncw electronic payment channels have emerged that minimize or eliminate the labour and expense of traditional cheque and remittance payment streams. However, many companics havc bccn slow to takc advantage of these innovations. I n part, that is bccausc sonic of the new payment alternativcs, such as Financial Electronic Data Interchange (FEDI), require users to incur significant costs and to substantially rc-cnginccr thcir disbursement and collcction processcs and incur significant up-front costs. In the past scveral years there have been various Internet payment efforts and new proposals. Most of these efforts take one of the approachcs; crcating totally new payment vehiclcs (digital cash, micro paynicnts), improving and electronifying todays payincnt products (Electronic Cheque, SET). Many of these approachcs havc been intendcd to create a proprietary approach to payments,

TENCON 2003 / 1436

and thcn to capturc cnough inarkct sharc to stakc out a significantly the Intcrnet payments.
3. I Credit CLIl*d

With credit cards; the payer does not actually pay the payee. Instcad. the issucr cxtcnds crcdit to thc payer, and the issuer pays the payec. Also, the acceptors of credit cards are I imi tcd . The inherent requirement of the extension of credit makes thc crcdit card unsuitablc for many types of business transactions. Diffcrent typcs of busincss requircnients, such as a two signatures, or diffcrent signers on the same account with different limits, cannot be supported by the credit card. The Credit Card has other disadvantages as well like I . High transaction cost - Onlinc conncctivity 2. Risk for issuing bank 3. Customer Risk - Card Number can be hacked (even from the Gateway) 4. Furthcr Crcdit Cards are not suitablc for high value transactions. The other problems are the two protocols SET and SSL are used for providing security. SET is costly to implement and SSL is easy to implcmcnt. Howcvcr SET cnsures that merchant will ncvcr gets thc Credit Card Number of buyer. This is not ensured in SSL. In addition to it SSL also suffers from the problem of default certificate. However in SET the implementation is complex. In the Credit Card Payment, the merchant is assured of payment once the positive acknowledgement is received from the gateways of banks and brand. However the acquirer bank makes payment to merchant only after lag of certain period of time. In other words there is some timc lag bctwccn thc timc of transaction and actual payment. In niany countries Credit Cards ate treated as the contract betwecn banks and customers. It does not enjoy same status as say papcr chcques. 3.2 Debit Card Dcbit cards face similar restrictions, as do credit cards. In addition, most debit cards carry low transaction limits. Most debit card transactions are in fact "off-line" transactions, with the actual financial processing occurs wcll after the transaction. While on-line debit card activity is processed immediately to the customer's and merchant's accounts. In Onlinc or Offlinc Debit Card Payments there is some time lag bctween the transaction time and actual payment. The Dcbit Cards are not suitable for high value business to business transactions. The issues how it should be regulated, how it is to be issued and other operational issues are still being discussed by diffcrent Central Banks. 3.3 Digital C d i mid Micro Payments Digital cash and micro payments reprcscnt two similar schools of new and emerging payments. Digital cash is sometimes also grouped with stored value products. A number of diffcrent digital cash-like systcnis havc bcen proposcd and arc in various phascs of developmcnt or trial. These systems are all based on proprietary approaches, and do not truly intcroperate. Some of the major players in this

arena arc: Digicash. Cybcrcash, Mondcx (Mastercard), Proton, and Visa Cash. The Digicash and Cybcrcash systems are designed for online use, while Mondex, Proton (used by American Express), and Visa Cash were initially designed as card-based systems to replace physical cash at the point of sale. Most of these systems are anonymous to the buyer. They are designed to reduce the use of cash, and in many cases, transfer of actual value from a bank account to thc user's card or system takes place. Micro paymcnts arc payments that are vcry low in valuc, with an upper threshold of either $ I O or $ 20 (no standard definition exists). The digital cash systems often target these transactions, the cquivalent to pocket changc. I n addition to thcse systcms, most notably Millicent, from Digital Equipment, hopc to makc valuc transfcr incxpcnsivc enough to be used for transactions below a penny in cost. These types of payment instruments have raised scveral legal issues. The regulatory issues about these type of paymcnt instruments arc still bcing debatcd and discusscd. 3.4 SET SET, Secure Electronic Transactions is the solution developed by Visa, Mastercard, and a host of other companics to sccure crcdit card transactions on thc Intcrnct. The system is endorsed by all thc major crcdit card companies and provides excellent security and structure for using credit cards and co-branded dcbit cards over the Internet. A large number of SET pilots arc undcrway in thc US and abroad, and thcse pilots are hclping to provide consumer, merchant, and financial institution reaction to the protocol and implementation issues. SET guarantecs that the crcdit card numbcr of the buyer will rcmain fully sccurcd. Evcn merchant does not sce it. Due to its complex and costly implementation vcry few Internet commerce sites support it. A site must have SET inark on its opcning pagc, so that buycr knows that thc site supports SET. 3.5 Electronic Cheque A Chequc is a signed paper docuincnt that is payer's order to his bank orders the signer's bank to pay an amount of money to a person specified in the cheque or bearer from the signer's account on or after a specificd date. An echeque is dematerialized form of paper cheque An c-cheque is an alternative emerging to fit a broader range of paymcnt applications at lowcr costs. Customers who prcfcr to writc cheques and havc thc float time of 12 to 48 hours bcfore the cheques are posted to their accounts will find that e-cheques provide the most secure means of meeting this goal while assuring the merchant that the e-chcques are drawn on a bank and that the customcr has authority to draw funds from the account. There exist a well defincd lcgal framework for dealing various aspects of cheque payment. Thc liabilities and responsibilities of various parties are wcll defined. This niakcs papcr cheques as one of the most important paymcnt instrument. Another advantage of cheque is that i t can be used in any payment transaction. Thc payers and payce can be individuals, organizations, companies, government departtncnts ctc.

Poster Papers / 1437

Elcctronic Chequcs (c-chcqucs) are bascd on the idea that paper documents can be replaced with electronic documents and handwritten signatures can be replaced with digital signatures that can be automatically verified for authcnticity. Likc paper cheques, Electronic Cheques are legally binding orders to pay. On the screen it looks just like a papcr chequc and is filled out in the same way. It is embedded in a secure electronic file that contains userdefincd data rcgarding the purpose of the chcque. It also includes information found on a paper cheque such as payee name, payer account information, amount and date. The echcquc is designed to fit into existing cheque practices and systcnis with minimum impact on payers, payecs, banks, and thc financial system. E-Cheque offcrs many benefits to different parties. It is bascd on PKI and provides security in payment transaction. it is bascd on offline authcntication. This rcduccs thc implcmcntation and pcr transaction cost considerably. The paycr necd not be afraid that his account details can be known to others. It is not necessary for the payee to provide his rlccoiint dctails to the payer. Evcn if account details are known thcrc will bc sccurity for- thc payer. The lcgal framcwork of papcr cheque can be adopted with some modifications to handle the payment of e-cheque. The banks can implement e-cheque without any major investments. addition, these built-in security fcaturcs will afford Electronic Cheque users more protection against cheque fraud than is possible with paper cheques. 4. I Peer-to-Peer Transactions Currently, many payment systcins require users to employ intermediaries to facilitate transactions. These intermediaries may be value-added networks (VANS) or they may be banks. While many corporations derive great value from these services, others-particularly small or medium-sizcd firms-prefcr to handle their transactions directly. As a result, many businesses are scarching for alternatives in order to make or receive direct, peer-to-peer payments. Elcctronic Cheques maintain and enhance that lcvel of choice. They allow businesses to cffcct electronic paymcnt transactions dircctly with customers and suppliers. Participants in a transaction maintain total control over what and when to pay, where to deposit funds, or even whethcr to accept a paymerit. 4.2 Payment Flow Options Electronic Cheques also provide greater flexibility of information flow than is available with current electronic payincnt options. Today, most electronic paymcnts rcquirc that companies adhere to a prcdctermincd information flow at all times, regardless of whether it is convenient to do so. For example, credit card issuers stipulate that participating businesses be on-line to verify transactions. They also dictate the terms of the payment flow, which typically moves from the consumer to the card issuer to the business being paid. However, with paper chequcs. payment flow is far more flcxible. Payers and payees can arrangc to have chcques scnt dircctly to one another, to a lockbox or to a third party for certification. Electronic Cheques allow the same freedom. Parties using Electronic Cheques can create a paymcnt flow that best suits thcir nccds and schedules. 4.3 Dutu Support Much of the ease and convenience of the Electronic Cheque stems from the fact that it is designed to behave much like a paper cheque. However, the ways in which Electronic Cheques diffcr from their papcr counterparts also offer sonic real advantages. Paper cheques convey only limited information, such as the issuers name, the issuers bank and perhaps some detail about the transaction for which the cheque was written. Elcctronic Cheques, on the other hand, offer an information-rich payment alternative. Because they arc embedded in an electronic file, Elcctronic Cheques can convey a significant amount of information about paycr and payce, remittancc information and transaction terms. While some of this infonnation is necessary to effect the payment, and much of it does not required for the payment. A payec can strip remittancc information out of the ccheque filc as it passes through the paymcnt channcl. This means that e-cheque users can take full advantage of the echeques flexible data storage without necessarily passing


As Electronic Cheque is modeled after the paper cheque, it offers a number of advantages over othcr new electronic payment mechanisms. One advantagc is ease of use, because it Pollows the same payment flow as paper cheques, the Electronic Cheque is easy for new uscrs to, understand. Thc Elcctronic Chcqiic is dcsigned such that the same account, that also issues paper cheques can be used. Most busincsses will continue to issue Electronic Cheques as well as paper chcques from the same account. A sccond advantage is that the Elcctronic Cheque rcquires a minimal invcstmcnt in and implementation of, new technology. I n fact, sending or receiving Electronic Cheques requires only three simple elements. I . onc iiiust have thc capacity to send and receive emai l. 2. one must posscss thc neccssary sccurity hardware, such as a chip card or PCMCIA card reader, which soon will be standard equipment on all new PCs. 3. one must havc an account at a bank that offers Electronic Chcque scrvices.

A third advantagc of the Electronic Cheque is its efficiency and reliability. Because Electronic Cheques leverage the chequc scttlcmcnt structure already in place, banks will only nccd to makc a modcst investment to offer this new technology. With the technology in place, processing Electronic Chcques will bccome more efficient and reliable than paper chequcs because an Electronic Cheque .is cmbcddcd i n a filc containing account information, digital signaturcs and othcr data. Such clectronic detail cnables thc bank to verify and process each cheque automatically. In

TENCON 2003 / 1438

that information through thc paynicnt systcni. This will be a great benefit for transactions like healthcare or insurance transactions that include sensitive or confidential information. 4.4 Eifictive Security Standards Since the Electronic Chcque is intcnded for use over public information nctworks like the Internet, strong security safeguards have been incorporated into it. In particular, paycr and payec digital signatures are protected against tampering. The current strategy is to employ inexpcnsivc hardware tokens, such as chip or PCMCIA cards, that will add support and strcngth to thc cryptographic tcchnology currcntly, uscd to secure paycr and payee signatures. Coiifidcntial data that automates the requirements for signing and verifying Electronic Cheques will be sealed in these sccurity tokcns and used to issue an Elcctronic Chcque bcfore it reachcs thc payee. As a result, such data will rcmain unknown evcn to Electronic Chcque uscrs. Building such sccurity into the system does add some cost and removes some choice from users. However, it ensures protection for both trading partners by preventing system uscrs from unwittingly compromising each others private information, IDRBT has developed the prototype of e-cheque, which is suitable for Indian Banking environment. Thc explicit procedures for issue and payments were developcd. It ensures no duplicate payment takes placc. IDRBT is also working on handling multiparty and joint signatures. It is also proposed to take up the work of Clearing and Scttlcmcnt rclatcd to c-chcquc. authorization by the bank to provide or relcase valuc from a customers account. Given the inherent costs associated with the security and audit trails provided by Electronic Cheque, it is unlikcly that the systcm will be cost-cffective for very low valuc transactions, (bclow $ I ) , although, like papcr chequcs, e-chequcs can be written for any amount supported by a currency.

The authors, who were actively involved right from the beginning till end of this project, acknowledgcs the cfforts and activities carried out by thcir collcagues in IDRBT and members in CMC Ltd, and for the pilot run, the other partners in this project Hyderabad Water Supply and Scwerage Board and Andhra Bank, as merchant cstablishmcnt and participating bank respectively arc also acknowledged. We also acknowlcdgc Ministry of. Information Technology (MIT), Government of India for the funding the major portion and Project Review Steering Group (PRSG) for their timely valuable suggestions and regular monitoring the activities, of thc projcct.

1. U.S. B2B E-Commerce to Rcach $4.8 Trillion in

As part of this project [ 6 ] , thc following objcctivcs were achieved: Development of sccurity related products Development of e-payment methods Provide consultancy in the area of security Conduct Auditing of Security Conduct Training on Internet Commerce This helps for building a strategic c-commerce technology basc, from which Indian consumcr community and business organizations can benefit immensely. Autoiiiated Clcaring Housc (ACH) is the current system uscd for clcctronic funds transfers such as dircct deposit of payroll or automatic deduction of mortgages. While ACH works wcll for payments between established trading partners, it is not readily available in many other transaction situations. Unlike ACH, e-cheques can be used when payments must bc made dircctly between trading partners without a third party or significant pre-arrangement involving bank accounts. E-Cheques are well suited for secure business-to-business payments over the Internet. Elcctronic cheque, unlikc other systems; is bascd on the chcquc processing infrastructure and methodologies. Elcctronic Cheques do not, themselves, represent value, rather, they are an order to pay, and are used as

2004, Boston Consulting Group, September 6, 2000. SET is being published as an open specification for the industry. For more information on SET, sce h t tp :iiww w .sct g m g 3. Secure Socket Layer (SSL) developed by Netscape. For SSL 3.0, see more information on. I it 11) :iihonie .nctsca pc .coniicnvi ssi.;:i t itlcs .h t n i I. 4. Financial Scrvices Markup Languagc (FSML), developed by Financial Services Technology Consortium (FSTC). For more information, see http::iw\wi. fitc.orq 5 . Technologies for E-Commerce, Project Completion Report, November 200 I .